A Wisconsin-based security firm says that a gang of Russian cybercriminals is responsible for accumulating more stolen internet credentials than ever previously reported, according to the New York Times.

The paper reported on Tuesday that Hold Security of
Milwaukee believes that 1.2 billion username and password
combinations, as well as over 500 million email addresses, have
been compromised by a group of hackers working closely together
out of a small city in south central Russia.

Alex Holden, Hold Security’s founder and chief information
security officer, told journalists at the Times that the stolen
records were lifted by the hackers from around 42,000 websites
from all realms of the web.

“Hackers did not just target US companies, they targeted any
website they could get, ranging from Fortune 500 companies to
very small websites,” Holden told the Times. “And most
of these sites are still vulnerable.”

Yet even after other recent security breaches have spawned calls
from both the public and political spheres for increased
protection on the web, the Times reported that the latest
discovery spotted by Holden’s crew “dwarfs those
incidents,” including last year’s high-profile hack of
retailer Target and the subsequent stealing of roughly 40 million
credit card numbers and other sensitive data.

Holden told the paper that his team has begun the process of
alerting victims of the breach, but said “Most of these sites
are still vulnerable” when he spoke to journalists at the
Times ahead of the Tuesday article.

“Hold Security would not name the victims, citing
nondisclosure agreements and a reluctance to name companies whose
sites remained vulnerable. At the request of The New York Times,
a security expert not affiliated with Hold Security analyzed the
database of stolen credentials and confirmed it was
authentic,” Nicole Perlroth and David Gelles wrote for the
Times. “Another computer crime expert who had reviewed the
data, but was not allowed to discuss it publicly, said some big
companies were aware that their records were among the stolen
information.”

According to Holden, the operation is spearheaded by a group of
roughly a dozen hackers in their 20s who first made a splash by
buying stolen data off the black market, but then began to work
with another, unnamed hacking collective, he believes, this past
April.

“There is a division of labor within the gang,” Holden
told the paper. “Some are writing the programming, some are
stealing the data. It’s like you would imagine a small company;
everyone is trying to make a living.”

According to the Hold Security founder, no nexus has been
identified linking the hackers to the Russian government. Earlier
this year, however, the US Department of Justice indicted several
Chinese individuals accused of committing computer intrusions on
behalf of the nation’s People Liberation Army, and later
acknowledged that authorities were aiming to take down
cybercriminals in Russia as well. Then last month, the
30-year-old son of a Russian MP was apprehended by US authorities
abroad and charged with stealing and selling US citizens’ credit
card data between 2009 and 2011.